package net.shibboleth.metadata.validate.x509;

import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.ThreadSafe;
import net.shibboleth.metadata.Item;
import net.shibboleth.metadata.pipeline.StageProcessingException;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.apache.commons.codec.binary.Hex;
import org.springframework.core.io.Resource;

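@ThreadSafe
/**
 * Validator that rejects X.509 certificates whose RSA modulus appears in an
 * OpenSSL-style key blacklist (the format used by Debian's openssl-blacklist
 * files for the 2008 weak-key incident).
 *
 * <p>Blacklist format, as reconstructed from the matching logic below: one entry
 * per line, each entry being the last 20 lower-case hexadecimal characters of
 * {@code SHA-1("Modulus=" + UPPER_CASE_HEX(modulus) + "\n")}. Blank lines and
 * lines starting with {@code '#'} are ignored. Entries are matched after
 * trimming surrounding whitespace.</p>
 *
 * <p>Thread safety: the blacklist set is populated only in
 * {@link #doInitialize()} and is read-only afterwards; the setters are guarded by
 * the component lifecycle checks so configuration cannot change once the
 * validator is initialized.</p>
 */
public class X509RSAOpenSSLBlacklistValidator extends AbstractX509Validator {

    /**
     * Bytes OpenSSL prints before the modulus ("Modulus=" in ASCII). The blacklist
     * digest is computed over this prefix, the upper-case modulus hex and a newline.
     */
    private static final byte[] OPENSSL_PREFIX = "Modulus=".getBytes(StandardCharsets.US_ASCII);

    /** Number of trailing hex digits of the SHA-1 digest that form a blacklist entry. */
    private static final int ENTRY_HEX_LENGTH = 20;

    /** Resource the blacklist is read from; required before initialization. */
    private Resource blacklistResource;

    /** RSA modulus size (in bits) this blacklist applies to; 0 means "any size". */
    private int keySize;

    /** Blacklist entries loaded at initialization; read-only afterwards. */
    private final Set<String> blacklistedValues = new HashSet<>();

    /** Constructor; sets the default component identifier. */
    public X509RSAOpenSSLBlacklistValidator() {
        setId("OpenSSLBlacklist");
    }

    /**
     * Gets the resource the blacklist is loaded from.
     *
     * @return the blacklist resource, or {@code null} if none has been set
     */
    @Nullable
    public Resource getBlacklistResource() {
        return blacklistResource;
    }

    /**
     * Sets the resource the blacklist is loaded from.
     *
     * @param resource the blacklist resource; must not be {@code null}
     */
    public synchronized void setBlacklistResource(@Nonnull final Resource resource) {
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        blacklistResource = Constraint.isNotNull(resource, "blacklist resource can not be null");
    }

    /**
     * Sets the RSA modulus size (in bits) this blacklist applies to.
     *
     * <p>A value of 0 (the default) means keys of any size are checked; any other
     * value restricts checking to moduli of exactly that bit length.</p>
     *
     * @param size key size in bits, or 0 for "any"; must not be negative
     */
    public synchronized void setKeySize(final int size) {
        // Same lifecycle guards as setBlacklistResource: the class is declared
        // thread-safe, so configuration must not change after initialization.
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        Constraint.isTrue(size >= 0, "key size can not be negative");
        keySize = size;
    }

    /**
     * Gets the RSA modulus size (in bits) this blacklist applies to.
     *
     * @return key size in bits, or 0 if keys of any size are checked
     */
    public int getKeySize() {
        return keySize;
    }

    /**
     * Computes the OpenSSL blacklist identifier for an RSA modulus.
     *
     * <p>The identifier is the last {@value #ENTRY_HEX_LENGTH} lower-case hex
     * characters of the SHA-1 digest of {@code "Modulus=<HEX>\n"}, where
     * {@code <HEX>} is the upper-case hex form of the modulus as printed by
     * {@code openssl rsa -noout -modulus}. SHA-1 is used here because it is the
     * fixed identifier format of that blacklist, not for any collision-resistance
     * property.</p>
     *
     * @param modulus the RSA modulus (a positive integer)
     * @return the blacklist identifier for the modulus
     * @throws StageProcessingException if no SHA-1 {@link MessageDigest} is available
     */
    @Nonnull
    private String openSSLDigest(@Nonnull final BigInteger modulus) throws StageProcessingException {
        byte[] modulusBytes = modulus.toByteArray();
        // BigInteger.toByteArray() is two's-complement, so a positive modulus whose
        // top bit is set carries a leading 0x00 sign byte; OpenSSL prints the
        // minimal magnitude, so drop that byte to match its hex output.
        if (modulusBytes[0] == 0) {
            modulusBytes = Arrays.copyOfRange(modulusBytes, 1, modulusBytes.length);
        }
        // Upper-case hex, as OpenSSL prints it; hex digits are ASCII so the
        // charset conversion is lossless.
        final byte[] modulusHex = new String(Hex.encodeHex(modulusBytes, false))
                .getBytes(StandardCharsets.US_ASCII);

        final MessageDigest digester;
        try {
            digester = MessageDigest.getInstance("SHA-1");
        } catch (final NoSuchAlgorithmException e) {
            throw new StageProcessingException("could not create message digester", e);
        }
        // Feed the three parts directly; no intermediate buffer (and no IOException) needed.
        digester.update(OPENSSL_PREFIX);
        digester.update(modulusHex);
        digester.update((byte) '\n');

        final String digestHex = new String(Hex.encodeHex(digester.digest(), true));
        return digestHex.substring(digestHex.length() - ENTRY_HEX_LENGTH);
    }

    /**
     * Checks the certificate's public key against the blacklist.
     *
     * <p>Only RSA keys are examined; non-RSA keys pass. If a key size has been
     * configured, only moduli of exactly that bit length are examined. A hit is
     * reported through {@code addError} with the matching blacklist identifier.</p>
     *
     * @param cert certificate being validated
     * @param item item the certificate belongs to
     * @param stageId identifier of the stage performing the validation
     * @throws StageProcessingException if the blacklist identifier cannot be computed
     */
    @Override // net.shibboleth.metadata.validate.x509.AbstractX509Validator
    public void doValidate(@Nonnull final X509Certificate cert, @Nonnull final Item<?> item,
            @Nonnull final String stageId) throws StageProcessingException {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);

        final PublicKey publicKey = cert.getPublicKey();
        // Dispatch on the key type rather than the algorithm string: any key that
        // exposes an RSA modulus (including RSA keys whose provider reports a
        // different algorithm name, e.g. PSS variants) has a modulus that can be
        // blacklisted, and this also avoids an unchecked cast.
        if (!(publicKey instanceof RSAPublicKey)) {
            return;
        }
        final BigInteger modulus = ((RSAPublicKey) publicKey).getModulus();
        if (keySize != 0 && keySize != modulus.bitLength()) {
            return;
        }
        final String identifier = openSSLDigest(modulus);
        if (blacklistedValues.contains(identifier)) {
            addError("RSA modulus included in key blacklist (" + identifier + ")", item, stageId);
        }
    }

    /** {@inheritDoc} */
    @Override
    protected void doDestroy() {
        blacklistResource = null;
        blacklistedValues.clear();
        super.doDestroy();
    }

    /**
     * Loads the blacklist from {@link #getBlacklistResource()}.
     *
     * <p>Blank lines and lines whose first non-blank character is {@code '#'} are
     * ignored; every other line, trimmed of surrounding whitespace, becomes a
     * blacklist entry.</p>
     *
     * @throws ComponentInitializationException if no resource is set, the resource
     *             does not exist, or it cannot be read
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();

        if (blacklistResource == null) {
            throw new ComponentInitializationException("Unable to initialize " + getId()
                    + ", blacklistResource must not be null");
        }
        if (!blacklistResource.exists()) {
            throw new ComponentInitializationException("Unable to initialize " + getId()
                    + ", blacklistResource " + blacklistResource.getDescription() + " does not exist");
        }

        // Explicit charset: the entries are hex digits, but the platform default
        // charset must not decide how comment lines are decoded.
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(blacklistResource.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                // Trim so that an entry with stray surrounding whitespace still
                // matches the identifier computed in openSSLDigest.
                final String entry = line.trim();
                if (entry.isEmpty() || entry.charAt(0) == '#') {
                    continue;
                }
                blacklistedValues.add(entry);
            }
        } catch (final IOException e) {
            throw new ComponentInitializationException("Unable to initialize " + getId()
                    + ", error reading blacklistResource " + blacklistResource.getDescription()
                    + " information", e);
        }
    }
}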
